WSHRat Hidden Browser

WSHRat is a Remote Access Trojan, a type of malware that allows attackers to take over infected machines.

WSHRat is a Remote Access Trojan, a type of malware that attackers use to gain remote control of machines and steal information. This particular RAT has seen several revisions, and depending on the version it’s also known

This RAT was first used in attacks against energy sector companies all around the world. With time, the malware became widely available and attackers used it in less coordinated attacks. The most recent version of WSHRAT changed target victims and now focuses on the banking sector.

The functionality of this RAT can vary by version, but it commonly includes:

  • The ability to take screenshots.
  • The ability to modify files.
  • The ability to access email and web browser credentials.
  • The ability to manipulate and kill running system processes.

The malware surfaced for the first time in 2013, when it was known under the name H-worm. At the time, it was a RAT written in the VBS (Visual Basic Script) programming language. Some samples already featured code obfuscation, and the malware came packed with some advanced info-stealing functions.

The malware was developed by a user known in the underground community as Houdini. Houdini used to host a website where people could learn about the capabilities of the RAT from an explanation video. Analysis of the content allowed researchers to conclude with a high degree of certainty that Houdini is likely to be Algerian. This is mainly based on his fluent knowledge of the French and Arabic languages.

While analyzing the first samples of WSHRAT, researchers found that its command and control infrastructure has similarities with that of NjW0rm, njRat/LV, XtremeRAT, and PoisonIvy. These are all RATs operated by the njq8 cybergang. It is likely that Houdini is collaborating with the gang, or he could even be a part of the njq8 syndicate.

The malware became relatively popular and VBS versions circulated in the wild for a while. In 2015, the author came out with an announcement of his plans to rewrite the malware in the Delphi programming language.

However, another version that researchers started investigating in 2016 still used VBS. This time, the RAT came in SFX files and exhibited new behavior. For example, it would launch YouTube or open a browser URL as a decoy to hide its execution and the infection happening in the background. Among other things, the 2016 version of WSHRAT can be distinguished by its use of mixed binary and ASCII protocols over TCP.

The newest version of WSHRAT popped up in 2019. This iteration of the malware targets the commercial banking sector. The RAT was completely rewritten in JavaScript from the original Visual Basic code. However, most aspects of the updated version remained identical to the older iterations. For example, it uses the same URL structure for C2 servers and exhibits similar behavior patterns.

This version is available to purchase for 50 USD and is heavily marketed on underground forums. In particular, the marketing campaign highlights features of the RAT such as WinXP-Win10 compatibility and a large number of information-stealing and remote control functions.
